CVE-2021-42287

HIGH KEV RANSOMWARE

Active Directory Domain Services - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2021-42287 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 11, 2022, with confirmed use in ransomware campaigns. EIP tracks 9 public exploits from researchers including cube0x0, ricardojba and XiaoliChan.

AI-analyzed exploit summary

This repository contains a functional exploit for CVE-2021-42287, a vulnerability in Active Directory Domain Controllers that allows a domain user to escalate to domain admin privileges. The exploit leverages the absence of a PAC (Privilege Attribute Certificate) in TGTs to forge tickets.

Description

Active Directory Domain Services Elevation of Privilege Vulnerability

Exploits (9)

nomisec WORKING POC 1,397 stars
by cube0x0 · poc
https://github.com/cube0x0/noPac

This repository contains a functional exploit for CVE-2021-42287, a vulnerability in Active Directory Domain Controllers that allows a domain user to escalate to domain admin privileges. The exploit leverages the absence of a PAC (Privilege Attribute Certificate) in TGTs to forge tickets.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Active Directory Domain Controllers (pre-patch)
Auth required
Prerequisites: Domain user credentials · Vulnerable Domain Controller
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 61 stars
by ricardojba · remote-auth
https://github.com/ricardojba/Invoke-noPac

This PowerShell script is a proof-of-concept exploit for CVE-2021-42287, a privilege escalation vulnerability in Active Directory. It leverages a flaw in the SAM protocol to escalate privileges to domain admin by exploiting a writeACL vulnerability.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Active Directory (SAM protocol)
Auth required
Prerequisites: Domain user credentials · Access to a vulnerable Active Directory environment
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 38 stars
by XiaoliChan · remote-auth
https://github.com/XiaoliChan/Invoke-sAMSpoofing

This PowerShell script exploits CVE-2021-42287, a vulnerability in Active Directory domain controllers that allows for privilege escalation via sAMAccountName spoofing. The script uses embedded base64-encoded Rubeus binaries to perform the attack.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Active Directory Domain Controllers (Windows Server)
Auth required
Prerequisites: Domain user credentials · Access to a domain-joined machine · Rubeus binary or equivalent tooling
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 13 stars
by TryA9ain · poc
https://github.com/TryA9ain/noPac

This repository contains a modified version of the noPac exploit for CVE-2021-42287, which combines sAMAccountName spoofing and KDC deception to achieve privilege escalation in Active Directory environments. The PoC includes optimizations such as MachineAccountQuota checks and TGT output.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Active Directory Domain Services
Auth required
Prerequisites: Valid domain credentials · Machine account with a known password · Domain controller accessibility
devstral-2 · analyzed Feb 16, 2026
nomisec TROJAN 1 stars
by DanielFEXKEX · poc
https://github.com/DanielFEXKEX/CVE-Scanner

The repository claims to be a scanner/exploiter for CVE-2021-42287 but instead contains a malicious PowerShell command that downloads and executes a remote script from a suspicious domain. No legitimate exploit or scanner code is present.

Classification
Trojan 95%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: none
No auth needed
Prerequisites: User execution of malicious PowerShell command
devstral-2 · analyzed Feb 16, 2026
nomisec SCANNER
by Chrisync · poc
https://github.com/Chrisync/CVE-Scanner

The repository describes a tool called CVE-Scanner designed to scan and exploit vulnerabilities, including CVE-2021-42287. It provides a command-line interface for scanning targets and generating reports, but no actual exploit code is present in the provided README.

Classification
Scanner 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Multiple (CVE-2021-42287, CVE-2021-42278, etc.)
No auth needed
Prerequisites: Python 3.x · Target IP or domain
devstral-2 · analyzed Feb 16, 2026
patchapalooza WORKING POC
by waterrr · remote-auth
https://github.com/waterrr/noPac

This repository contains a functional exploit for CVE-2021-42287 (noPac), which chains with CVE-2021-42278 to achieve privilege escalation in Active Directory. The exploit adds a computer account, manipulates its sAMAccountName to impersonate a domain controller, and then uses Kerberos delegation to obtain a ticket for a domain admin, leading to remote code execution or hash dumping.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Active Directory Domain Services
Auth required
Prerequisites: Valid domain credentials with permissions to add computer accounts · LDAP and SMB access to the domain controller · Unpatched Active Directory (pre-November 2021 patches)
devstral-2 · analyzed Feb 23, 2026
patchapalooza WORKING POC
by Ridter · remote-auth
https://github.com/Ridter/noPac

This repository contains a functional exploit for CVE-2021-42287 (noPac), which chains with CVE-2021-42278 to impersonate a Domain Admin from a standard domain user. The exploit includes modules for S4U2self, computer addition via SAMR, and post-exploitation actions like shell execution and hash dumping.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Active Directory Domain Services (Windows Server)
Auth required
Prerequisites: Domain user credentials · Access to a vulnerable Domain Controller · LDAP/SMB connectivity to the DC
devstral-2 · analyzed Feb 23, 2026
patchapalooza WORKING POC
by safebuffer · remote-auth
https://github.com/safebuffer/sam-the-admin

This repository contains a functional exploit for CVE-2021-42287 and CVE-2021-42278, which allows a standard domain user to impersonate a Domain Admin by exploiting a sAMAccountName spoofing vulnerability. The exploit chain involves creating a machine account, renaming it to match a DC's hostname, and then using Kerberos delegation to obtain a ticket for a Domain Admin.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Active Directory Domain Services
Auth required
Prerequisites: Valid domain user credentials · MachineAccountQuota > 0 · LDAP and SAMR access to the domain controller
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 7.5
EPSS 0.9401
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-04-11
VulnCheck KEV 2022-04-11
InTheWild.io 2022-04-06
ENISA EUVD EUVD-2021-29262
Ransomware Use Confirmed
Status published
Products (8)
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
microsoft/windows_server_2016 2004
microsoft/windows_server_2016 < 10.0.14393.4770
microsoft/windows_server_2019 < 10.0.17763.2300
microsoft/windows_server_2022 < 10.0.20348.350
Published Nov 10, 2021
KEV Added Apr 11, 2022
Tracked Since Feb 18, 2026